1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
|
/**
* @file peer_cfg.h
*
* @brief Interface of peer_cfg_t.
*
*/
/*
* Copyright (C) 2007 Tobias Brunner
* Copyright (C) 2005-2007 Martin Willi
* Copyright (C) 2005 Jan Hutter
* Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
*
* This program is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*/
#ifndef PEER_CFG_H_
#define PEER_CFG_H_
typedef enum dpd_action_t dpd_action_t;
typedef enum cert_policy_t cert_policy_t;
typedef struct peer_cfg_t peer_cfg_t;
#include <library.h>
#include <utils/identification.h>
#include <utils/linked_list.h>
#include <config/traffic_selector.h>
#include <config/proposal.h>
#include <config/ike_cfg.h>
#include <config/child_cfg.h>
#include <sa/authenticators/authenticator.h>
#include <sa/authenticators/eap/eap_method.h>
/**
* Certificate sending policy. This is also used for certificate
* requests when using this definition for the other peer. If
* it is CERT_NEVER_SEND, a certreq is omitted, otherwise its
* included.
*
* @ingroup config
*
* @warning These definitions must be the same as in pluto/starter,
* as they are sent over the stroke socket.
*/
enum cert_policy_t {
/** always send certificates, even when not requested */
CERT_ALWAYS_SEND = 0,
/** send certificate upon cert request */
CERT_SEND_IF_ASKED = 1,
/** never send a certificate, even when requested */
CERT_NEVER_SEND = 2,
};
/**
* enum strings for cert_policy_t
*
* @ingroup config
*/
extern enum_name_t *cert_policy_names;
/**
* @brief Actions to take when a peer does not respond (dead peer detected).
*
* These values are the same as in pluto/starter, so do not modify them!
*
* @ingroup config
*/
enum dpd_action_t {
/** DPD disabled */
DPD_NONE,
/** remove CHILD_SAs without replacement */
DPD_CLEAR,
/** route the CHILD_SAs to resetup when needed */
DPD_ROUTE,
/** restart CHILD_SAs in a new IKE_SA, immediately */
DPD_RESTART,
};
/**
* enum names for dpd_action_t.
*/
extern enum_name_t *dpd_action_names;
/**
* @brief Configuration of a peer, specified by IDs.
*
* The peer config defines a connection between two given IDs. It contains
* exactly one ike_cfg_t, which is use for initiation. Additionally, it contains
* multiple child_cfg_t defining which CHILD_SAs are allowed for this peer.
* @verbatim
+-------------------+ +---------------+
+---------------+ | peer_cfg | +---------------+ |
| ike_cfg | +-------------------+ | child_cfg | |
+---------------+ | - ids | +---------------+ |
| - hosts | 1 1 | - cas | 1 n | - proposals | |
| - proposals |<------| - auth info |-------->| - traffic sel | |
| - ... | | - dpd config | | - ... |-+
+---------------+ | - ... | +---------------+
+-------------------+
@endverbatim
*
* @b Constructors:
* - peer_cfg_create()
*
* @ingroup config
*/
struct peer_cfg_t {
/**
* @brief Get the name of the peer_cfg.
*
* Returned object is not getting cloned.
*
* @param this calling object
* @return peer_cfg's name
*/
char* (*get_name) (peer_cfg_t *this);
/**
* @brief Get the IKE version to use for initiating.
*
* @param this calling object
* @return IKE major version
*/
u_int (*get_ike_version)(peer_cfg_t *this);
/**
* @brief Get the IKE config to use for initiaton.
*
* @param this calling object
* @return the IKE config to use
*/
ike_cfg_t* (*get_ike_cfg) (peer_cfg_t *this);
/**
* @brief Attach a CHILD config.
*
* @param this calling object
* @param child_cfg CHILD config to add
*/
void (*add_child_cfg) (peer_cfg_t *this, child_cfg_t *child_cfg);
/**
* @brief Create an iterator for all attached CHILD configs.
*
* @param this calling object
* @return an iterator over all CHILD configs.
*/
iterator_t* (*create_child_cfg_iterator) (peer_cfg_t *this);
/**
* @brief Select a CHILD config from traffic selectors.
*
* @param this calling object
* @param my_ts TS for local side
* @param other_ts TS for remote side
* @param my_host host to narrow down dynamic TS for local side
* @param other_host host to narrow down dynamic TS for remote side
* @return selected CHILD config, or NULL if no match found
*/
child_cfg_t* (*select_child_cfg) (peer_cfg_t *this, linked_list_t *my_ts,
linked_list_t *other_ts, host_t *my_host,
host_t *other_host);
/**
* @brief Get own ID.
*
* @param this calling object
* @return own id
*/
identification_t* (*get_my_id)(peer_cfg_t *this);
/**
* @brief Get peers ID.
*
* @param this calling object
* @return other id
*/
identification_t* (*get_other_id)(peer_cfg_t *this);
/**
* @brief Get own CA.
*
* @param this calling object
* @return own ca
*/
identification_t* (*get_my_ca)(peer_cfg_t *this);
/**
* @brief Get peer CA.
*
* @param this calling object
* @return other ca
*/
identification_t* (*get_other_ca)(peer_cfg_t *this);
/**
* @brief Get list of group attributes.
*
* @param this calling object
* @return linked list of group attributes
*/
linked_list_t* (*get_groups)(peer_cfg_t *this);
/**
* @brief Should be sent a certificate for this connection?
*
* @param this calling object
* @return certificate sending policy
*/
cert_policy_t (*get_cert_policy) (peer_cfg_t *this);
/**
* @brief Get the authentication method to use to authenticate us.
*
* @param this calling object
* @return authentication method
*/
auth_method_t (*get_auth_method) (peer_cfg_t *this);
/**
* @brief Get the EAP type to use for peer authentication.
*
* If vendor specific types are used, a vendor ID != 0 is returned to
* to vendor argument. Then the returned type is specific for that
* vendor ID.
*
* @param this calling object
* @param vendor receives vendor specifier, 0 for predefined EAP types
* @return authentication method
*/
eap_type_t (*get_eap_type) (peer_cfg_t *this, u_int32_t *vendor);
/**
* @brief Get the max number of retries after timeout.
*
* @param this calling object
* @return max number retries
*/
u_int32_t (*get_keyingtries) (peer_cfg_t *this);
/**
* @brief Get a time to start rekeying (is randomized with jitter).
*
* @param this calling object
* @return time in s when to start rekeying, 0 disables rekeying
*/
u_int32_t (*get_rekey_time)(peer_cfg_t *this);
/**
* @brief Get a time to start reauthentication (is randomized with jitter).
*
* @param this calling object
* @return time in s when to start reauthentication, 0 disables it
*/
u_int32_t (*get_reauth_time)(peer_cfg_t *this);
/**
* @brief Get the timeout of a rekeying/reauthenticating SA.
*
* @param thsi calling object
* @return timeout in s
*/
u_int32_t (*get_over_time)(peer_cfg_t *this);
/**
* @brief Use MOBIKE (RFC4555) if peer supports it?
*
* @param this calling object
* @return TRUE to enable MOBIKE support
*/
bool (*use_mobike) (peer_cfg_t *this);
/**
* @brief Get the DPD check interval.
*
* @param this calling object
* @return dpd_delay in seconds
*/
u_int32_t (*get_dpd_delay) (peer_cfg_t *this);
/**
* @brief What should be done with a CHILD_SA, when other peer does not respond.
*
* @param this calling object
* @return dpd action
*/
dpd_action_t (*get_dpd_action) (peer_cfg_t *this);
/**
* @brief Get a virtual IP for the local peer.
*
* If no virtual IP should be used, NULL is returned. %any means to request
* a virtual IP using configuration payloads. A specific address is also
* used for a request and may be changed by the server.
*
* @param this peer_cfg
* @param suggestion NULL, %any or specific
* @return clone of an IP, %any or NULL
*/
host_t* (*get_my_virtual_ip) (peer_cfg_t *this);
/**
* @brief Get a virtual IP for the remote peer.
*
* An IP may be supplied, if one was requested by the initiator. However,
* the suggestion is not more as it says, any address may be returned, even
* NULL to not use virtual IPs.
*
* @param this peer_cfg
* @param suggestion NULL, %any or specific
* @return clone of an IP to use
*/
host_t* (*get_other_virtual_ip) (peer_cfg_t *this, host_t *suggestion);
#ifdef P2P
/**
* @brief Is this a mediation connection?
*
* @param this peer_cfg
* @return TRUE, if this is a mediation connection
*/
bool (*is_mediation) (peer_cfg_t *this);
/**
* @brief Get peer_cfg of the connection this one is mediated through.
*
* @param this peer_cfg
* @return reference to peer_cfg of the mediation connection
*/
peer_cfg_t* (*get_mediated_by) (peer_cfg_t *this);
/**
* @brief Get the id of the other peer at the mediation server.
*
* This is the leftid of the peer's connection with the mediation server.
*
* If it is not configured, it is assumed to be the same as the right id
* of this connection.
*
* @param this peer_cfg
* @return the id of the other peer
*/
identification_t* (*get_peer_id) (peer_cfg_t *this);
#endif /* P2P */
/**
* @brief Get a new reference.
*
* Get a new reference to this peer_cfg by increasing
* it's internal reference counter.
* Do not call get_ref or any other function until you
* already have a reference. Otherwise the object may get
* destroyed while calling get_ref(),
*
* @param this calling object
*/
void (*get_ref) (peer_cfg_t *this);
/**
* @brief Destroys the peer_cfg object.
*
* Decrements the internal reference counter and
* destroys the peer_cfg when it reaches zero.
*
* @param this calling object
*/
void (*destroy) (peer_cfg_t *this);
};
/**
* @brief Create a configuration object for IKE_AUTH and later.
*
* name-string gets cloned, ID's not.
* Virtual IPs are used if they are != NULL. A %any host means the virtual
* IP should be obtained from the other peer.
* Lifetimes are in seconds. To prevent to peers to start rekeying at the
* same time, a jitter may be specified. Rekeying of an SA starts at
* (rekeylifetime - random(0, jitter)).
*
* @param name name of the peer_cfg
* @param ike_version which IKE version we sould use for this peer
* @param ike_cfg IKE config to use when acting as initiator
* @param my_id identification_t for ourselves
* @param other_id identification_t for the remote guy
* @param my_ca CA to use for us
* @param other_ca CA to use for other
* @param groups list of group memberships
* @param cert_policy should we send a certificate payload?
* @param auth_method auth method to use to authenticate us
* @param eap_type EAP type to use for peer authentication
* @param eap_vendor EAP vendor identifier, if vendor specific type is used
* @param keyingtries how many keying tries should be done before giving up
* @param rekey_time timeout before starting rekeying
* @param reauth_time timeout before starting reauthentication
* @param jitter_time timerange to randomly substract from rekey/reauth time
* @param over_time maximum overtime before closing a rekeying/reauth SA
* @param reauth sould be done reauthentication instead of rekeying?
* @param mobike use MOBIKE (RFC4555) if peer supports it
* @param dpd_delay after how many seconds of inactivity to check DPD
* @param dpd_action what to do with CHILD_SAs when detected a dead peer
* @param my_virtual_ip virtual IP for local host, or NULL
* @param other_virtual_ip virtual IP for remote host, or NULL
* @param p2p_mediation TRUE if this is a mediation connection
* @param p2p_mediated_by name of the mediation connection to mediate through
* @param peer_id ID that identifies our peer at the mediation server
* @return peer_cfg_t object
*
* @ingroup config
*/
peer_cfg_t *peer_cfg_create(char *name, u_int ikev_version, ike_cfg_t *ike_cfg,
identification_t *my_id, identification_t *other_id,
identification_t *my_ca, identification_t *other_ca,
linked_list_t *groups, cert_policy_t cert_policy,
auth_method_t auth_method, eap_type_t eap_type,
u_int32_t eap_vendor,
u_int32_t keyingtries, u_int32_t rekey_time,
u_int32_t reauth_time, u_int32_t jitter_time,
u_int32_t over_time, bool mobike,
u_int32_t dpd_delay, dpd_action_t dpd_action,
host_t *my_virtual_ip, host_t *other_virtual_ip,
bool p2p_mediation, peer_cfg_t *p2p_mediated_by,
identification_t *peer_id);
#endif /* PEER_CFG_H_ */
|
